JBoss Security Updates for Bedework 3.7
Updated: October 25, 2011
As you may be already aware from messages on the Bedworkwork lists and/or the JBoss list, a vlunerability has been identified with respect to the JBoss JMX console. Although this vulnerability is in JBoss, not Bedework itself, Bedework installations may be affected.
The Bedework 3.7 quickstart has been modified to make the JMX console more secure, as will all future Bedework releases.
Simply performing a subversion update to your existing installation will not address the vulnerability. You will need to to "manually" follow the procedure described below:
1. Locate the <security-constrain> element (around line 101) in the file
jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
and remove the two <http-method> elements, so that it now appears as below
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
2. Red Hat has become aware of a worm currently affecting unpatched or unsecured servers running JBoss Application Server and products based on it. This worm propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user.
To determine if your JBoss instance has been compromised, look in directory
jboss-5.1.0.GA/server/default/deploy/management/
If you see the directory
iesvc.war
then your instance has been infected.
The blog entry below has worm removal and detection information:
http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server
3. Lastly, change the JMX console password. In the Bedework quickstart configuration the userid and password are found in the file
jboss-5.1.0.GA/server/default/conf/props/jmx-console-users.properties
Note that it is not good practice to run any web service as a privileged user. Therefore, to minimizie your risk overall, you should run JBoss under an unprivileged account.